
Political Science Department Intranet

 

Encrypted Backups for Mac

5 December 2008

People are becoming more and more aware of the need for encryption, so this technology has been developing continually over the last year. There are several backup options that I will share.

First, there is online backup to the internet. This is offered through services such as MobileMe from Apple and MozyHome from Mozy (www.apple.com/mobileme, https://mozy.com). The advantage of these is that your files are stored online and can be accessed from anywhere. Plus they are off-site, so if your apartment burns down you are still safe. The disadvantage of these is that they cost a lot of money ($99/yr for 20GB with MobileMe, $3.95+$.50/GB per month for Mozy). You can always pay for more space. Another disadvantage could be that you are entrusting your files to someone else (depending on how personal or undisclosed you want them to be, this could be scary).

Second, there is third-party software. Knox is a secure encryption and backup program (www.knoxformac.com). It uses encrypted disk images to secure files, much like TrueCrypt or PGP would. Knox appears to be much more integrated with OS X and has backup in mind. The advantage of this is that you have a great deal of control over what gets secured and where it is stored. All of this could be done manually using Disk Utility, but third-party software takes a lot of the headache out of it. The disadvantage is that you have to be wary about where you put things: files must be in the secure area, and anything outside it will not be protected. Also, we will need to configure the backups to make sure we are getting everything we want. This requires some intentionality in getting set up.

Third, there are the built-in features FileVault and Time Machine. FileVault automatically protects your Home folder by encrypting its whole contents. This secures all personal files unless you manually move them somewhere else. Time Machine automatically backs up your entire computer. Both of these are free, easy to use, and easy to set up. It is true that both work better by themselves than together, but progress has continued to be made on this, particularly since 10.5.2, and I would recommend upgrading all Apple software to the latest version. All they require is an attached external hard drive. All changes on your computer will be backed up hourly, and changes in your FileVaulted Home folder will be saved during logout. It is important to have your Time Machine drive plugged in when you log out as often as possible. In your backups, your Home folder will be saved as an encrypted disk image (just like Knox), which will require your password to be accessed. (Do not forget your password, and please set a Master Password.) Another advantage is that, since this is the most common scenario, getting support and troubleshooting will be the easiest.

Based on these options, I would go with the third unless there really is something in one of the others that makes it definitively worthwhile. Unfortunately, encryption adds complications and risks, but we know that not using it can also be very risky, especially in terms of University policy and data.

Recovering Data with FileVault and Time Machine

A couple of things work differently with Time Machine when FileVault is enabled. First, your home folder is only backed up when you are logging out instead of every hour as it does for the rest of the hard drive. This is due to the way FileVault stores your home folder as an encrypted volume. So it is very important to have your external drive connected as often as possible and to log out often to reclaim free space and back up your documents. Second, you cannot use the Time Machine interface to recover individual files. You can use the interface to recover your entire home folder or you can manually recover individual files.

Recovering Individual Files

Use Finder to open your external Time Machine drive and open the folder Backups.backupdb.

Find the folder named for the partition on which your home folder is located and open it.

You will see all of the Time Machine snapshots listed by date. You may choose how far back you need to recover or choose Latest to go to the most recent one.

After opening the folder with your hard drive name and the users folder (these folders are typically called Macintosh HD and Users), your home folder will be shown as an image. This image is encrypted and called yourusername.sparsebundle.

Double-clicking the image file will require you to enter your account login password. Once the correct password is entered, your home folder backup will mount and you can copy individual files off to your computer. Do not copy any file onto the backup, as this can create problems with Time Machine.
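The same steps can be carried out from Terminal. The script below is an added example and not part of the original page: it finds the home folder image by the folder layout described above and attaches it read-only with hdiutil, so nothing can be written onto the backup by accident. The function names, the mount location and the drive path in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Layout assumed from the steps above:
#   <drive>/Backups.backupdb/<partition name>/<snapshot>/<hard drive name>/Users/<user>.sparsebundle

# Print every backed-up image for a user, one path per snapshot (sorted by path).
list_home_images() {
    root=$1 user=$2
    for img in "$root"/Backups.backupdb/*/*/*/Users/"$user".sparsebundle; do
        if [ -d "$img" ]; then printf '%s\n' "$img"; fi
    done
    return 0
}

# Print the image path inside one snapshot ("Latest" by default); fail if absent.
find_home_image() {
    root=$1 user=$2 snap=${3:-Latest}
    for img in "$root"/Backups.backupdb/*/"$snap"/*/Users/"$user".sparsebundle; do
        if [ -d "$img" ]; then printf '%s\n' "$img"; return 0; fi
    done
    echo "no $user.sparsebundle found in snapshot $snap" >&2
    return 1
}

# Attach the encrypted image read-only and hidden from Finder. hdiutil asks
# for the account login password before the volume mounts.
mount_home_image() {
    img=$1 mnt=$2
    mkdir -p "$mnt" &&
    hdiutil attach -readonly -nobrowse -mountpoint "$mnt" "$img"
}

# Usage (hypothetical drive name): sh recover.sh "/Volumes/Time Machine" yourusername
if [ "$#" -eq 2 ]; then
    image=$(find_home_image "$1" "$2") || exit 1
    mount_home_image "$image" "${TMPDIR:-/tmp}/tm-home-$2"
fi
```

When you have finished copying files, detach the volume with `hdiutil detach` followed by the mount point.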

Recovering Files When the Login Password is Forgotten

If you have forgotten or lost your account login password, then you will not be able to get past the password prompt in the instructions above. There is a way to get around this if the FileVault Master Password was set on the backed-up machine. OS X 10.5 stores this key on the Time Machine backup at Backups.backupdb -> partition name -> Latest -> hard drive name -> Library -> Keychains -> FileVaultMaster.keychain.

Double-click this file to open the keychain. The key is now loaded and needs to be unlocked. Click on the lock icon; it will require your Master Password. This enables you to open any of the user folder images on the Time Machine backup without their login password.

To prevent casual access to those backups again, you can lock the FileVaultMaster keychain by clicking on the lock again. This prevents OS X from using the keychain without someone entering the Master Password again and re-enables the password prompts for the encrypted backup volumes.

 


Copyright 2009 - Department of Political Science - The Ohio State University